Of course, your data should be guarded behind a hard shell (See Bryn Llewellyn presentation https://community.oracle.com/docs/DOC-1018915) but there may be some exceptional reasons to directly modify data with SQL because some information was not originally supposed to be changed, and then the application has no GUI or API for this. If all security was implemented through the application, everything is now possible when directly connected and a mistake (like a where clause predicate lost in ac copy-paste) can be critical. Flashback features are awesome to react to this kind of error, but VPD rules can be used as a proactive safeguard by allowing, by default, only a subset of data to be touched.